This guide assumes you have configured Database Monitoring for your Amazon RDS Postgres or MySQL databases.

Before you begin

Supported databases
Postgres, MySQL
Supported Agent versions
7.68.0+

Overview

Datadog’s Autodiscovery enables you to configure monitoring in dynamic infrastructures. You can use this feature to monitor your RDS instances without having to list individual database host endpoints. Autodiscovery automatically discovers and monitors any RDS instances that match the tag criteria specified in your configuration.

With Autodiscovery and Database Monitoring, you can define configuration templates for Postgres or MySQL checks and specify which instances to apply each check to.

Enabling Autodiscovery for RDS clusters

  1. Grant AWS permissions
  2. Configure RDS tags
  3. Configure the Datadog Agent
  4. Create a configuration template

Grant AWS permissions

The Datadog Agent requires permission to run rds:DescribeDBInstances in your AWS account. Datadog recommends that you attach an IAM role policy to the EC2 instance where the Agent is running.

An example policy that grants these permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstances"
      ],
      "Resource": [
        "arn:aws:rds:<region>:<account>:db:*"
      ]
    }
  ]
}

You can also attach the AmazonRDSReadOnlyAccess policy.

Configure RDS tags

By default, the listener discovers all RDS instances in the account and region where the Agent is running that have the datadoghq.com/scrape:true tag applied. You can also configure the Agent to discover instances with specific tags.

For more information on tagging RDS resources, see the AWS documentation.

If you configure tags as an empty array, Autodiscovery discovers all instances in the account and region.

Configure the Datadog Agent

Autodiscovery uses an Agent service listener, which discovers all database host endpoints and forwards discovered endpoints to the existing Agent check scheduling pipeline. You can configure the listener in the datadog.yaml file:

database_monitoring:
  autodiscovery:
    rds:
      enabled: true

Note: The Agent only discovers RDS instances running in the same region as the Agent. To determine the region of the instance, the Agent uses IMDS (Instance Metadata Service). If your EC2 instance requires IMDSv2, you must configure the Agent to use IMDSv2 by setting ec2_prefer_imdsv2: true in datadog.yaml, as shown below:

ec2_prefer_imdsv2: true
database_monitoring:
  autodiscovery:
    rds:
      enabled: true

The listener only discovers RDS instances in the account and region where the Agent is running, and only those with the datadoghq.com/scrape:true tag. You can also configure the listener to discover clusters with specific tags.

To specify custom tags for RDS instance discovery in the datadog.yaml file:

database_monitoring:
  autodiscovery:
    rds:
      enabled: true
      tags:
        - "my-instance-tag-key:value"

To monitor all RDS instances in the account and region:

database_monitoring:
  autodiscovery:
    rds:
      enabled: true
      tags: []

The listener queries the AWS API for the list of hosts in a loop. The frequency with which the listener queries the AWS API, in seconds, is configurable in the datadog.yaml file:

database_monitoring:
  autodiscovery:
    rds:
      enabled: true
      discovery_interval: 300

The listener provides an %%extra_dbm%% variable that can be used to enable or disable DBM for the instance. This value defaults to true if the tag datadoghq.com/dbm:true is present. To specify a custom tag for this value use dbm_tag:

database_monitoring:
  autodiscovery:
    rds:
      enabled: true
      dbm_tag:
        - "use_dbm:true"

The %%extra_dbm%% value is true if the tag is present, and false otherwise. It does not set its value to the value of the tag.

Create a configuration template

The Datadog Agent supports configuration templates for the Postgres and MySQL integrations. Define a configuration template for the RDS instances you wish to monitor.

First, add an ad_identifier for RDS-managed Postgres to your configuration template (postgres.d/conf_aws_rds.yaml) file:

ad_identifiers:
  - _dbm_postgres

Then, define the remainder of the template. Use template variables for parameters that may change, such as host and port.

ad_identifiers:
  - _dbm_postgres
init_config:
instances:
  - host: "%%host%%"
    port: "%%port%%"
    username: datadog
    dbm: "%%extra_dbm%%"
    aws:
      instance_endpoint: "%%host%%"
      region: "%%extra_region%%"
    tags:
    - "dbinstanceidentifier:%%extra_dbinstanceidentifier%%"
    - "region:%%extra_region%%"

In this example, the template variables %%host%%, %%port%%, %%extra_dbinstanceidentifier%%, %%extra_dbm%%, and %%extra_region%% are dynamically populated with information from the RDS instance.

Authentication

If you use password authentication, note that the password provided in this template file is used for every database discovered.

Securely store your password

Store your password using secret management software such as Vault. You can then reference this password as ENC[<SECRET_NAME>] in your Agent configuration files: for example, ENC[datadog_user_database_password]. See Secrets Management for more information.

The examples on this page use datadog_user_database_password to refer to the name of the secret where your password is stored. It is possible to reference your password in plain text, but this is not recommended.

The following example configuration template is applied to every RDS instance discovered:

ad_identifiers:
  - _dbm_postgres
init_config:
instances:
  - host: "%%host%%"
    port: "%%port%%"
    username: datadog
    password: "ENC[datadog_user_database_password]"
    dbm: "%%extra_dbm%%"
    aws:
      instance_endpoint: "%%host%%"
      region: "%%extra_region%%"
    tags:
    - "dbinstanceidentifier:%%extra_dbinstanceidentifier%%"
    - "region:%%extra_region%%"

IAM authentication

To use IAM authentication to connect to your RDS instance, use the following template:

ad_identifiers:
  - _dbm_postgres
init_config:
instances:
  - host: "%%host%%"
    port: "%%port%%"
    username: datadog
    dbm: "%%extra_dbm%%"
    aws:
      instance_endpoint: "%%host%%"
      region: "%%extra_region%%"
      managed_authentication:
        enabled: "%%extra_managed_authentication_enabled%%"
    tags:
      - "dbinstanceidentifier:%%extra_dbinstanceidentifier%%"
      - "region:%%extra_region%%"

The template variable %%extra_managed_authentication_enabled%% resolves to true if the instance is using IAM authentication.

First, add an ad_identifier for RDS-managed MySQL to your configuration template (mysql.d/conf_aws_rds.yaml) file:

ad_identifiers:
  - _dbm_mysql

Then, define the remainder of the template. Use template variables for parameters that may change, such as host and port.

ad_identifiers:
  - _dbm_mysql
init_config:
instances:
  - host: "%%host%%"
    port: "%%port%%"
    username: datadog
    password: "ENC[datadog_user_database_password]"
    dbm: "%%extra_dbm%%"
    aws:
      instance_endpoint: "%%host%%"
    tags:
    - "dbinstanceidentifier:%%extra_dbinstanceidentifier%%"
    - "region:%%extra_region%%"

In this example, the template variables %%host%%, %%port%%, %%extra_dbinstanceidentifier%%, %%extra_dbm%%, and %%extra_region%% are dynamically populated with information from the RDS instance.

Authentication

If you use password authentication, note that the password provided in this template file is used for every database discovered.

Securely store your password

Store your password using secret management software such as Vault. You can then reference this password as ENC[<SECRET_NAME>] in your Agent configuration files: for example, ENC[datadog_user_database_password]. See Secrets Management for more information.

The examples on this page use datadog_user_database_password to refer to the name of the secret where your password is stored. It is possible to reference your password in plain text, but this is not recommended.

The following example configuration template is applied to every RDS instance discovered:

ad_identifiers:
  - _dbm_mysql
init_config:
instances:
  - host: "%%host%%"
    port: "%%port%%"
    username: datadog
    password: "ENC[datadog_user_database_password]"
    dbm: "%%extra_dbm%%"
    aws:
      instance_endpoint: "%%host%%"
      region: "%%extra_region%%"
    tags:
    - "dbinstanceidentifier:%%extra_dbinstanceidentifier%%"
    - "region:%%extra_region%%"

IAM authentication

To use IAM authentication to connect to your RDS instance, make sure that you are using Agent version 7.67.0 or above and use the following template:

ad_identifiers:
  - _dbm_mysql
init_config:
instances:
  - host: "%%host%%"
    port: "%%port%%"
    username: datadog
    dbm: "%%extra_dbm%%"
    aws:
      instance_endpoint: "%%host%%"
      region: "%%extra_region%%"
      managed_authentication:
        enabled: "%%extra_managed_authentication_enabled%%"
    tags:
      - "dbinstanceidentifier:%%extra_dbinstanceidentifier%%"
      - "region:%%extra_region%%"

The template variable %%extra_managed_authentication_enabled%% resolves to true if the instance is using IAM authentication.

For more information on configuring Autodiscovery with integrations, see the Autodiscovery documentation.

Supported template variables

| Template variable | Source |
| --- | --- |
| %%host%% | The RDS instance endpoint |
| %%port%% | The port of the RDS instance |
| %%extra_region%% | The AWS region where the instance is located |
| %%extra_dbinstanceidentifier%% | The instance identifier of the discovered RDS instance |
| %%extra_dbclusteridentifier%% | The cluster identifier of the discovered RDS instance, if one exists |
| %%extra_dbm%% | Whether DBM is enabled on the instance. Determined by the presence of dbm_tag, which defaults to datadoghq.com/dbm:true. |
| %%extra_managed_authentication_enabled%% | Whether IAM authentication is enabled on the instance. This is used to determine if managed authentication should be used for the connection. |
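
The sketch below is an added example, not Datadog's code: it previews offline which instances a given tags setting brings into scope (and so which databases a template's shared password would be sent to) and what the template variables would resolve to. The sample instances are constructed; the rule that every configured tag must match, the engine-to-ad_identifier mapping, and the region argument are assumptions.

```python
# Added example: offline preview of RDS Autodiscovery scope (not Datadog's code).
DEFAULT_TAGS = ["datadoghq.com/scrape:true"]   # listener default, per the page
DEFAULT_DBM_TAG = ["datadoghq.com/dbm:true"]   # dbm_tag default, per the page
AD_IDENTIFIERS = {"postgres": "_dbm_postgres", "mysql": "_dbm_mysql"}  # assumed mapping

# Constructed sample, shaped like the DBInstances list from rds:DescribeDBInstances.
def _db(name, engine, port, iam, tags):
    return {"DBInstanceIdentifier": name, "Engine": engine,
            "Endpoint": {"Address": f"{name}.example.invalid", "Port": port},
            "IAMDatabaseAuthenticationEnabled": iam,
            "TagList": [{"Key": k, "Value": v} for k, v in tags.items()]}

SAMPLE = [
    _db("orders-prod", "postgres", 5432, True,
        {"datadoghq.com/scrape": "true", "datadoghq.com/dbm": "true"}),
    _db("billing-prod", "mysql", 3306, False,
        {"datadoghq.com/scrape": "true", "datadoghq.com/dbm": "false"}),
    _db("scratch-dev", "postgres", 5432, False, {"team": "data"}),
]

def has_tags(instance, wanted):
    """Assumption: every configured 'key:value' pair must be on the instance."""
    have = {f"{t['Key']}:{t['Value']}" for t in instance.get("TagList", [])}
    return all(w in have for w in wanted)  # tags: [] therefore matches everything

def preview(instances, region, tags=None, dbm_tag=None):
    """Return the template variables each discovered instance would resolve to."""
    tags = DEFAULT_TAGS if tags is None else tags
    dbm_tag = DEFAULT_DBM_TAG if dbm_tag is None else dbm_tag
    out = []
    for inst in instances:
        endpoint = inst.get("Endpoint")  # may be absent, e.g. instance still creating
        if endpoint is None or not has_tags(inst, tags):
            continue
        out.append({
            "ad_identifier": AD_IDENTIFIERS.get(inst["Engine"]),
            "host": endpoint["Address"], "port": endpoint["Port"],
            "extra_region": region,
            "extra_dbinstanceidentifier": inst["DBInstanceIdentifier"],
            "extra_dbm": has_tags(inst, dbm_tag),  # presence only, never the tag's value
            "extra_managed_authentication_enabled":
                bool(inst.get("IAMDatabaseAuthenticationEnabled")),
        })
    return out

if __name__ == "__main__":
    for label, cfg in [("default tags", None), ("tags: []", [])]:
        print(label)
        for r in preview(SAMPLE, "us-east-1", tags=cfg):
            print("  ", r["ad_identifier"], r["host"], "dbm=%s" % r["extra_dbm"])
```

To check a real account, replace SAMPLE with the DBInstances list returned by a DescribeDBInstances call made under the same IAM role the Agent uses.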